These types of issues are the biggest reason why I avoid javascript/npm projects. I came back to a project after a few months and it was broken, had to rewrite some parts and upgrade other parts just to get it to run again.
I'm sorry but for all the flaws of the NPM ecosystem, version locking is not one (both `npm` and `yarn` do much much better than anything in Python). There's no reason a correctly set-up project would magically break with time.
I don't love NPM anymore than the next guy, but my blame will go to the dev in this case.
No, version locking is a disaster in npm and yarn both (and ppm appears to do the same thing). For it to be _safe_, you have to opt into `--ci` or `--frozen-lockfile`.
Cargo, Mix, and Ruby’s Bundler _all_ do an infinitely better job because they don’t let dependencies upgrade on you behind the scene. Their lockfiles are really lockfiles. No ifs, ands, or buts.
`--frozen-lockfile` and the equivalent should be the DEFAULT behaviour, not this pseudo-locked nonsense that currently exists.
